Disabling access based on location

ABSTRACT

The present invention specifies a location by externally receiving a signal, and disables from reading data stored in a recording medium in accordance with the specified location, thereby enabling to perform a process of preventing data leakage when a data storage apparatus is used at a location other than a predetermined location.

TECHNICAL FIELD

The present invention relates to a data storage apparatus which stores data, a data processing apparatus which can perform input and output processes with respect to data of, e.g., a multifunctional machine or the like, an information processing system which includes at least the data storage apparatus and the data processing apparatus, and a data storage method which stores data by using the data storage apparatus.

BACKGROUND ART

In recent years, a technique that access of data stored in an apparatus is controlled based on location information of the apparatus has been developed. In this technique, for example, with respect to a specific file which was created at a user's residence and has been stored in a computer, if the current location of the computer obtained by using, e.g., a GPS (Global Positioning System) function is a location other than the user's residence, access to the specific file (e.g., a diary file) is inhibited.

Similarly, there is a technique that latitude/longitude information representing an installation location of a semiconductor manufacturing apparatus is compared and checked with latitude/longitude information representing an installation location of a user apparatus to which remote access should be permitted, and the remote access is disconnected when it is judged as the result of the comparison that the information representing the installation location of the user apparatus is wrong (e.g., Japanese Patent Application Laid-Open No. 2001-306530).

Moreover, there is a technique that specific information representing an image storage apparatus of storing image data is administrated. More specifically, when the image data is requested from an external apparatus, the image storage apparatus of storing the image data is specified based on the specific information. Thus, for example, the storage location of the image data can be freely and easily changed without deteriorating user's convenience by specifying the image storage apparatus of storing the image data in question on the basis of the specific information (e.g., Japanese Patent Application Laid-Open No. 2000-105677).

Besides, in recent years, external storage apparatuses such as a hard disk drive and the like become small but have large capacities, whereby it is easier to store large-amount data in the external storage apparatus and then bring/move it to an arbitrary location. Moreover, for example, there is a technique that various kinds of office automation equipment such as a multifunctional machine and the like connected to a network such as an internal LAN or the like has a hard disk drive of storing processed data built-in or use an external apparatus connected to the network.

However, when it is thought that downsizing and mass storage have a negative side, there is a problem that an external storage apparatus (data storage apparatus) disposed at a location where secret data should be administrated is brought out forth by a person who has an evil intention, and thus the data stored in the storage apparatus might leak. Thus, a demand for improvement of the technique capable of dealing with this problem is deep.

In addition, there is a problem that, if the data to be administrated in each office automation equipment (i.e., data processing apparatus) connected to the network is distributed and stored/processed, a data capacity increases, and the data administration is more complicated and difficult.

DISCLOSURE OF THE INVENTION

The present invention specifies a location by externally receiving a signal, and disables from reading data stored in a recording medium according to the specified location, thereby enabling to perform a process of preventing data leakage when a data storage apparatus is used at a location other than a predetermined location.

Further, the present invention receives location information externally, and disables from reading data stored in the recording medium according to the location represented by the received location information, thereby enabling to perform the process of preventing the data leakage when the data storage apparatus is used at a location other than the predetermined location.

Furthermore, the present invention receives location information being the information concerning a data storage apparatus installation location from the data storage apparatus having a recording medium for storing data, and judges based on the location represented by the received location information whether or not to use the data storage apparatus, thereby enabling to perform the process of preventing the data leakage when the data storage apparatus is used at a location other than the predetermined location.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the schematic structure of an information processing system which is equipped with a data storage apparatus according to the embodiment of the present invention and network equipment (data processing apparatus);

FIG. 2 is a block diagram showing an example of the internal structure of each of the MFP's (Multi Function Peripherals) 103 a, 103 b, 103 c and 104 shown in FIG. 1;

FIG. 3 is a block diagram showing an example of the hardware structure of the core unit 206 shown in FIG. 2 and its peripheral units;

FIG. 4 is a block diagram showing an example of the internal structure of the data storage apparatus 102 shown in FIG. 1;

FIG. 5 is a diagram showing that the location information provisioning terminals 100-A to 100-F provide location information to the data storage apparatus 102, the MFP's 103 a to 103 c, and the MFP 104 through close-range communication;

FIG. 6 is a diagram showing an example of the access control information to be held in the data storage apparatus 102;

FIG. 7 is a diagram showing an example of the access control information to be held in the MFP's 103 a to 103 c and the MFP 104;

FIG. 8 is a diagram showing an example of access control information to be held in the MFP 104;

FIG. 9 is a flow chart showing the boot process to be performed when the power supply of the data storage apparatus 102 is turned on in the information processing system shown in FIG. 1;

FIGS. 10A and 10B are flow charts showing an example of the data security protection process to be performed when the data storage apparatus 102 is activated outside the installation permission location;

FIG. 11 is a flow chart showing an example of the process that the data storage apparatus 102 changes the network activation permission location information 601 when the result of the step S806 in FIG. 9 is “NO”;

FIG. 12 is a flow chart showing an example of the process to be performed when data writing from the MFP 104 to the data storage apparatus 102 is performed;

FIG. 13 is a diagram showing an example of the operation screen of each of the MFP's 103 a to 103 c and the MFP 104 shown in FIG. 1;

FIG. 14 is a diagram showing an example of the message and the setting change GUI (graphical user interface) to be displayed on the operation screen 404 a of the operation unit 404;

FIG. 15 is a diagram showing an example of the screen to be used to display/change various setting areas concerning the data storage apparatus 102; and

FIG. 16 is a diagram showing an example of the access non-permission message to be displayed on the operation screen 5 a of the operation unit 5.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the embodiment of the present invention will be explained in detail with reference to the accompanying drawings.

Initially, the schematic structure of an information processing system which is equipped with a data storage apparatus according to the embodiment of the present invention and network equipment (data processing apparatus) will be explained. More specifically, FIG. 1 is a diagram showing the schematic structure of the information processing system equipped with the data storage apparatus according to the embodiment and the network equipment (data processing apparatus).

In FIG. 1, numerals 103 a, 103 b, 103 c and 104 respectively denote data processing apparatuses acting as the network equipment. For example, the data processing apparatus is a multifunctional apparatus, called an MFP (Multi Function Peripheral), which has a multi-purpose function. The data processing apparatuses 103 a to 103 c and 104 are respectively connected to a network 101. Here, it is assumed throughout the present application that the network equipment, the multifunctional apparatus, and the MFP are all equivalent to the data processing apparatus. In the embodiment, the network equipment 104, which is also called the MFP 104, is the color MFP capable of performing scanning, printing and the like in full color. Similarly, the network equipments 103 a to 103 c, which are also called the MFP's 103 a to 103 c, are the black-and-white MFP's capable of performing scanning, printing and the like in black and white. Numeral 105 denotes a computer terminal which has a function to connect with the network 101, and a function to use a data storage apparatus 102 and the MFP's 103 a to 103 c and 104. That is, the computer terminal 105 is the general computer terminal which is used by a user for creating a document or the like. Incidentally, the computer terminal 105 is equipped with a display device such as a CRT (cathode ray tube), an LCD (liquid crystal display) and the like, and an input device such as a keyboard, a mouse and the like capable of being handled by the user.

Numeral 102 denotes the data storage apparatus 102 which can be connected to the network 101 and is equipped with a storage medium (or recording medium) of storing various data. More specifically, the data storage apparatus 102 contains as the recording medium a hard disk and connects with the network 101 by using an iSCSI (Internet SCSI (Small Computer System Interface)) protocol. Here, it should be noted that the iSCSI protocol is the protocol which is available to transmit and receive, through an IP (Internet Protocol) network, an SCSI command used in the communication between a storage and a computer. That is, by using the iSCSI protocol, it is possible to directly connect the data storage apparatus such as a large-capacity hard disk or the like onto a TCP/IP (Transmission Control Protocol/Internet Protocol) network such as an inter-office LAN (local area network) or the like, and it is thus possible to share the connected data storage apparatus by plural computers.

As described above, the data storage apparatus 102 saves and stores various data transmitted from the MFP's 103 a to 103 c and 104 through the network 101. Numerals 100-A, 100-B, 100-C, 100-D, 100-E and 100-F respectively denote location information provisioning terminals each of which provides location information to the data storage apparatus 102 and the MFP's 103 a to 103 c and 104 through close-range communication using radio as shown in FIG. 5. Besides, each of the location information provisioning terminals 100-A to 100-F stores floor information (representing, e.g., a floor number and a living room (or sitting room) number where the terminal in question is installed) as location information for specifying the location where each of the location information provisioning terminals 100-A to 100-F is installed, whereby such floor number information is transmitted as the location information in response to requests from the data storage apparatus 102 and the MFP's 103 a to 103 c and 104. Incidentally, the location information is not limited to the floor number information. That is, as the location information, it is preferable to use various information such as information concerning latitude/longitude, information concerning virtual coordinates in a living room, and the like, according to a range and an object which are intended to administrate the installation location of the data storage apparatus 102.

(Structural Example of MFP's 103 a to 103 c and 104)

Next, an example of the internal structure of each of the MFP's 103 a to 103 c and 104 will be explained.

FIG. 2 is a block diagram showing the example of the internal structure of each of the MFP's 103 a to 103 c and 104. Here, as previously described, the MFP 104 can process color images and documents, while the MFP's 103 a to 103 c can process black and white images and documents. That is, the difference between the MFP 104 and the MFP's 103 a to 103 c is only the above point, and other parts of the MFP 104 are substantially equivalent to those of the MFP's 103 a to 103 c. For this reason, in the following, FIG. 2 will be explained with respect to the structure of the MFP 104, and the structure of each of the MFP's 103 a to 103 c will be incidentally explained as needed.

In FIG. 2, numeral 3 denotes an HD (hard disk) which is provided in the MFP 104 and stores various data as needed, and numeral 5 denotes an operation unit which includes a display part and an operation part. The display part is equipped with a screen that a user watches when handling the MFP 104, and the operation part is equipped with buttons and the like that the user handles according to the displayed contents of the display part. Numeral 6 denotes a formatter unit which extracts PDL (page-description language) data into image data.

Numeral 201 denotes a scanner unit which reads the image data from an original, and numeral 202 denotes a scanner IP (image processor) unit which performs an image process to the image data read by the scanner unit 201. Numeral 203 denotes a FAX unit, typified by general facsimile or the like, which transmits and receives the image data by using a telephone line, and numeral 204 denotes an NIC (network interface card) unit which transmits and receives the image data and device information through the network 101. Besides, a PDL unit is provided to extract the PDL data transmitted from a computer side into an image signal (e.g., bitmap image signal). Numeral 206 denotes a core unit which controls the respective units, temporarily stores the image signals, and determines data input/output paths, in accordance with use of the MFP 104. Here, the HD 3, the operation unit 5, the formatter unit 6 and a location information obtaining unit 9 are connected to the core unit 206.

The image data output from the core unit 206 is processed through a printer IP (image processor) unit 207 and a PWM (pulse width modulation) unit 208, and then the processed data is input to a printer unit 209. Then, in the printer unit 209, an image formation (print) process for a paper (printing media) is performed based on the input image data, and the print-processed papers are output to a finisher unit 210 and then subjected to a finishing process. Besides, the location information obtaining unit 9 obtains the location information from the closest one of the location information provisioning terminals 100-A to 100-F through radio communication, and transfers the obtained information to the core unit 206. Thus, the MFP's 103 a to 103 c and 104 resultingly have the location information obtaining unit 9. Consequently, even in a case where the installation location of the MFP changes or an organization which uses the MFP changes (e.g., a change in personnel occurs), if the location information of the MFP's capable of being used in the print process is beforehand set by an administrator or the like of the network 101, it is possible to prevent that a user erroneously uses the before-change MFP.

(Explanation of Core Unit 206)

FIG. 3 is a block diagram showing an example of the hardware structure of the core unit 206 shown in FIG. 2 and its peripheral units. The core unit 206 includes a digital video I/F (interface) 121. Thus, the core unit 206 is connected to the scanner IP unit 202 through the digital video I/F 121. In the meantime, the core unit 206 is connected to the HD 3, the operation unit 5, the formatter unit 6, the NIC unit 204 and the location information obtaining unit 9 respectively shown in FIG. 2 through a core-unit main bus 125 (simply called a main bus 125 hereinafter) and an I/F 120.

The image data read by the scanner unit 201 is transferred to a data processing unit 124 through the scanner IP unit 202, the digital video I/F 121 and the main bus 125. Likewise, a control command output from the scanner unit 201 is transferred to a CPU 122 through the scanner IP unit 202, the digital video I/F 121 and the main bus 125. Here, it should be noted that the data processing unit 124 is the image processing means for performing image processes such as a rotation process, a magnification change process and the like to the image data. The image data transferred from the scanner unit 201 and processed by the data processing unit 124 is further transferred to the in-MFP HD 3 or the NIC unit 204 through the main bus 125 and the I/F 120, in accordance with the control command transferred to the CPU 122 simultaneously with the image data.

When a print request command (including PDL data) is transmitted from the computer terminal 105 shown in FIG. 1 through the NIC unit 204, the CPU 122 which received the print request command through the I/F 120 transfers the simultaneously transmitted PDL data to the formatter unit 6 through the I/F 120. Then, the PDL data is extracted into the image data by the formatter unit 6, and the obtained image data is again transferred to the data processing unit 124 through the I/F 120. The image data transferred from the formatter unit 6 is subjected to the image process by the data processing unit 124, and the processed image data is further transferred to the printer IP unit 207 through the I/F 120. Thus, the image data is print-output through the printer IP unit 207, the PWM unit 208, the printer unit 209 and the finisher unit 210 as shown in FIG. 2.

In the above operation, the CPU 122 appropriately confirms the status in the formatter unit 6 and the status in IP unit 207, the PWM unit 208, the printer unit 209 and the finisher unit 210, and thus notifies the NIC unit 204, the location information obtaining unit 9 or the operation unit 5 of the status concerning the printing through the I/F 120. Moreover, the CPU 122 totally controls the above operation according to a control program stored in a memory 123 and the control command transferred from the scanner unit 201. Besides, the memory 123 is also used as the working area of the CPU 122.

As just described, the core unit 206 can control the data flow among the scanner unit 201, the scanner IP unit 202, the in-MFP HD 3, the NIC unit 204 and the formatter unit 6, whereby the core unit 206 can effectively perform the combined process including the original image reading function, the image print function, the data exchange function (between the core unit 206 and the computer terminal 105), and the like.

(Internal Structure of Data Storage Apparatus 102)

FIG. 4 is a block diagram showing an example of the internal structure of the data storage apparatus 102 shown in FIG. 1. In FIG. 4, numeral 401 denotes a location information obtaining unit which obtains the location information shown in FIG. 5 from closest one of the location information provisioning terminals 100-A to 100-F through close-range radio communication, and numeral 402 denotes a storage medium unit which is a large-capacity hard disk for storing various data. Besides, the storage medium unit 402 also stores access control information using the location information. Numeral 403 denotes a network I/F unit which can be connected to the network 101 by using the iSCSI protocol and thus exchange the various data through the network 101. Numeral 404 denotes an operation unit which includes a display part of displaying information concerning the status of the data storage apparatus 102, an error and the like, and operation buttons to be used by the user to handle the data storage apparatus 102.

Numeral 405 denotes a CPU which totally controls the entire process of the data storage apparatus 102 and holds therein an encryption key for encryption. When writing/reading data to/from the storage medium unit 402, the CPU 405 encrypts/decrypts the data by using the held encryption key as needed. Besides, the CPU 405 controls the location information obtaining unit 401, the storage medium unit 402, the network I/F 403 and the operation unit 404 through a CPU bus 408 and an I/F 407. In any event, the detail in the case where the CPU 405 encrypts/decrypts the data will be described later. Numeral 406 denotes a memory which acts as the work memory of the CPU 405. It should be noted that the structure of the data storage apparatus 102 is not limited to the above. That is, it only has to be the structure which at least has a function to store the data and enable the computer to read the stored data, a function to obtain the location information, and a function to perform various processes to the stored data according to the obtained location information.

(Example of Access Control Information Held in Data Storage Apparatus 102)

An example of the access control information to be held in the data storage apparatus 102 will be explained hereinafter.

FIG. 6 is a diagram showing an example of the access control information to be held in the data storage apparatus 102. In FIG. 6, current location information 600 is the location information obtained by the location information obtaining unit 401 and is also the information concerning the current location of the data storage apparatus 102. As shown in FIG. 6, floor information “31 living room (window side)” is stored as the current location information 600. Here, “31 living room” indicates a living room of the first room on the third floor. More specifically, the second-digit number “3” indicates the floor number, the first-digit number “1” indicates the room number, and the last characters “living room” indicates the kind of room. That is, for example, “42 laboratory” indicates a laboratory of the second room on the fourth floor. In the meantime, “window side” is the information which is added, as needed, in the case where the location information is obtained from the terminal, such as the location information provisioning terminal 100-C or 100-F of FIG. 1, located at the window side. In the embodiment, the location information indicated by the same floor information as “31 living room (window side)” or “42 laboratory” described above is used as the location information hereinafter.

Network activation permission location information 601 is the information for defining the area where the data storage apparatus 102 is shifted as being connected to the network 101. In FIG. 6, “31 living room” is defined as the network activation permission location information 601. In a case where the location information obtained by the location information obtaining unit 401 indicates the location other than that defined by the network activation permission location information 601, it is controlled by the data storage apparatus 102 itself not to establish the network connection.

HD installation permission location information 602 is the information for defining the range where the data storage apparatus 102 is brought out. In FIG. 6, the two rooms of “31 living room” and “32 living room” are defined as the HD installation permission location information 602. In case of changing and mending the setting of the data storage apparatus 102, it is necessary to do so within the area defined by the HD installation permission location information 602. In a case where the location information obtained by the location information obtaining unit 401 is outside the area in question, a process for preventing data leakage is performed for confidentiality if a “predetermined condition” is satisfied. That is, for example, the encryption key held in the CPU 405 is invalidated, or the data held in the storage medium unit 402 is deleted. Incidentally, an example of the “predetermined condition” necessary to perform the process for preventing data leakage and the concrete process operation concerning the “predetermined condition” will be described later.

Group equipment installation location information 603 is the information for defining the installation locations of the MFP's 103 a to 103 c and 104 which access the data storage apparatus 102 by using the iSCSI protocol. More specifically, the group equipment installation location information 603 is obtained by associating the location information with a group ID. Here, the group ID is to specify the equipment group of the MFP's 103 a to 103 c and 104 (i.e., in units of department, in units of installation location, or the like), and the location information is to specify the installation location of the equipment which belongs to the group ID in question. In FIG. 6, the location information “31 living room, 32 living room, 42 laboratory, 43 laboratory” is associated with the group ID “NATTO1”.

Moreover, correspondence information of the group ID and an access key is the information which defines a group ID 604 being the information for specifying the equipment group and an access key 605 being the key (e.g., character string) for permitting the equipment group corresponding to the group ID 604 to access the hardware storage apparatus. In FIG. 6, the combination of “NATTO1” and “XXX” and the combination of “NATTO2” and “YYY” are shown as the correspondence information of the group ID 604 and the access key 606.

(Example of Access Control Information Held in MFP's 103 a to 103 c and MFP 104)

Next, examples of the access control information to be held in the MFP's 103 a to 103 c and the MFP 104 will be explained hereinafter.

FIGS. 7 and 8 are diagrams respectively showing the examples of the access control information to be held in the MFP's 103 a to 103 c and the MFP 104, and FIG. 7 will be explained hereinafter. In FIG. 7, current location information 700 is the location information obtained by the location information obtaining unit 9 and is also the information concerning the current location of each of the MFP's 103 a to 103 c. More specifically, as shown in FIG. 7, floor information “31 living room (window side)” is stored as the current location information 700. Moreover, group equipment installation location information 501 is the information for defining the installation locations of the MFP's 103 a to 103 c and 104 in the corresponding equipment group to which these MFP's and the like belong. As shown in FIG. 7, each of the MFP's 103 a to 103 c can be installed in “31 living room, 32 living room, 42 laboratory, 43 laboratory”.

Moreover, correspondence information of the group ID and an access key is the information which defines a group ID 502 being the information for specifying the equipment group and an access key 503 being the key (e.g., character string) for permitting the equipment group corresponding to the group ID 502 to access the hardware storage apparatus. In FIG. 7, the combination of “NATTO1” and “XXX” is shown as the correspondence information of the group ID 502 and the access key 503. Besides, box discrimination information 504 is the information for discriminating the data storage apparatus 102, and an HDID (hard disk ID) is used in the embodiment. In FIG. 7, the HDID “SHARED BOX-A” for discriminating the data storage apparatus 102 is stored as the box discrimination information 504.

Then, the information example shown in FIG. 8 is the information example of the MFP 104 similar to that of each of the MFP's 103 a to 103 c, whereby the explanation thereof will be omitted. Incidentally, each of the MFP's 103 a to 103 c and 104 obtains a set of the group ID 502 to which the MFP in question belongs and the access key 503 which corresponds to the group ID in question, from the data storage apparatus 102. At that time, only when the MFP's 103 a to 103 c and 104 are installed respectively at the locations defined by the group equipment installation location information 501, they can obtain the access key 503 from the data storage apparatus 102 (or the access key 605 in the data storage apparatus 102).

Next, the process to be performed when the power supply of the data storage apparatus 102 is turned on in the information processing system shown in FIG. 1 will be explained. More specifically, a boot (or start-up) process of the data storage apparatus 102 and a box expansion process to be performed according to the boot process in the MFP's 103 a to 103 c and 104 connected to the network 101 will be explained. Here, it should be noted that the box expansion process is the process to register the data storage apparatus 102 as a hard disk capable of writing/reading data in the MFP's 103 a to 103 c and 104. That is, in each of the MFP's 103 a to 103 c and 104, a “box” indicates the data storage apparatus 102 registered to be usable by the MFP.

FIG. 9 is a flow chart showing the boot process to be performed when the power supply of the data storage apparatus 102 is turned on in the information processing system shown in FIG. 1. In a step S801, when a user turns on the power supply of the data storage apparatus 102, as shown in FIG. 9, the data storage apparatus 102 causes the location information obtaining unit 401 to perform the location information obtaining process shown in FIG. 5 to obtain the location information from the closest one of the location information provisioning terminals 100-A to 100-F. Next, in a step S802, it is judged by the data storage apparatus 102 whether or not the location information obtaining unit 401 can obtain the location information. When judged that the location information obtaining unit 401 can obtain the location information (i.e., YES in the step S802), the data storage apparatus 102 sets the obtained location information to the current location information 600 shown in FIG. 6 as the information concerning the current location, and the flow advances to a step S804. Meanwhile, when judged that the location information obtaining unit 401 cannot obtain the location information (i.e., NO in the step S802), the flow stops in a step S803 and then returns to the step S801 to again perform the location information obtaining process. That is, after turning on the power supply, the data storage apparatus 102 repeats the location information obtaining step until obtaining it. Thus, during this time, the data storage apparatus 102 is in the state incapable of accessing data.

Next, in the step S804, it is judged by the data storage apparatus 102 whether or not the obtained location information (i.e., information set to the current location information 600) coincides with the HD installation permission location information 602. When judged that the obtained location information coincides with the HD installation permission location information 602 (i.e., YES in the step S804), the flow advances to a step S806. Meanwhile, when judged that the obtained location information does not coincide with the HD installation permission location information 602 (i.e., NO in the step S804), the data storage apparatus 102 performs the process in a step S805-7 shown in FIG. 10A. In the step S805-7, a data security protection process is performed so that the data does not leak outside.

Here, the process shown in FIG. 10A will be explained.

FIG. 10A is the flow chart showing an example of the data security protection process to be performed when the data storage apparatus 102 is activated outside the installation permission location. As shown in FIG. 10A, in the step S805-7, the data storage apparatus 102 performs the process to invalidate the encryption key held in the CPU 405 and also delete the data held in the storage medium unit 402. Next, in a step S805-8, the power supply of the data storage apparatus 102 is turned off. Thus, when the data storage apparatus 102 is activated outside the location defined by the HD installation permission location information 602 shown in FIG. 6, such activation is considered as improper activation, and therefore the encryption key and the stored data are deleted to protect data security.

Again, in FIG. 9, it is judged by the data storage apparatus 102 in the step S806 whether or not the location information defined by the current location information 600 coincides with the network activation permission location information 601. When judged that the location information coincides with the network activation permission location information 601 (i.e., YES in the step S806), the flow advances to a step S807. Meanwhile, when judged that the location information does not coincide with the network activation permission location information 601 (i.e., NO in the step S806), the data storage apparatus 102 performs the process in steps S901 to S903 shown in FIG. 11. The details of the process in FIG. 11 will be explained later.

Subsequently, in the step S807, the data storage apparatus 102 broadcasts the current location information 600 and the HDID to the MFP's 103a to 103c and 104. In the following, the process to be performed when the current location information 600 and the HDID transmitted from the data storage apparatus 102 are received by the MFP 104 will be explained. Initially, in a step S810, the MFP 104 receives and obtains the current location information 600 and the HDID from the data storage apparatus 102. Next, in a step S811, it is judged by the MFP 104 whether or not the current location information 600 of the data storage apparatus 102 coincides with the group equipment installation location information 501. When judged that the current location information 600 coincides with the group equipment installation location information 501 (i.e., YES in the step S811), the flow advances to a step S812 to transmit the current location information 700 of the MFP 104 and the group ID 502 to the data storage apparatus 102. Then, the data storage apparatus 102 receives the current location information 700 of the MFP 104 and the group ID 502, and the flow advances to a step S808. Meanwhile, when judged that the current location information 600 does not coincide with the group equipment installation location information 501 (i.e., NO in the step S811), the flow returns to the step S810 to wait for the current location information 600 and the HDID transmitted from the data storage apparatus 102.

Then, in the step S808, the data storage apparatus 102 receives the current location information 700 and the group ID 502 from the MFP 104. Thus, it is judged whether or not the values of the current location information 700 and the group ID 502 coincide with the group equipment installation location information 603 being the access control information held in the data storage apparatus 102. When judged that the values of the current location information 700 and the group ID 502 coincide with the group equipment installation location information 603 (i.e., YES in the step S808), the flow advances to a step S809. Meanwhile, when judged that the values of the current location information 700 and the group ID 502 do not coincide with the group equipment installation location information 603 (i.e., NO in the step S808), the boot process ends, and then an ordinary process is performed.

Next, in the step S809, to the MFP 104 which transmitted the group ID 502 and the current location information 700, the data storage apparatus 102 transmits a set of the group ID 604 being the same as the group ID 502 and the corresponding access key 605. Thus, in a step S813, the MFP 104 obtains the group ID 604 of the data storage apparatus 102 and the corresponding access key 605, and stores them as the group ID 502 and the corresponding access key 503. Subsequently, in a step S814, the MFP 104 expands the data storage apparatus 102 as the box, and displays the HDID “SHARED BOX-A” of the data storage apparatus 102 in a box discrimination information display area 1100 on an operation screen 5a of the operation unit 5 as shown in FIG. 13. Thus, the MFP 104 can store the data in the data storage apparatus 102, and the box expansion process ends. Here, it should be noted that each of the MFP's 103a to 103c and 104 performs the process shown in the flow chart of FIG. 9.

FIG. 13 is the diagram showing an example of the operation screen of each of the MFP's 103a to 103c and the MFP 104 shown in FIG. 1. As shown in FIG. 13, the information “32 living room” concerning the installation location of the data storage apparatus 102 of which the HDID is displayed in the box discrimination information display area 1100 is also displayed on the operation screen 5a. Besides, a scan indication button 1101 for indicating the scanner unit 201 to read an original and record the read original image data to the shared box-A (=data storage apparatus 102) is included in the operation screen 5a. Moreover, a print indication button 1102 for indicating the printer unit 209 to print the image data stored in the shared box-A (=data storage apparatus 102) and a transmission indication button 1103 for indicating the FAX unit 203 to transmit the image data stored in the shared box-A (=data storage apparatus 102) are likewise included in the operation screen 5a.

As described above, the data storage apparatus 102 in the embodiment can confirm the installation location of the apparatus itself when the power supply is turned on, confirm the mutual installation locations of the MFP's 103a to 103c and 104, and then write/read the data to/from the MFP's 103a to 103c and 104. That is, the data can be transmitted/received under the circumstance that the mutual locations of the equipment (data storage apparatus 102, MFP's 103a to 103c, and MFP 104) on the network can be assured. Specifically, in the information processing system according to the embodiment, the confirmation (first check) as to whether or not the installation location of the data storage apparatus 102 itself at the time of activation is appropriate, the confirmation (second check) as to whether or not the installation location of the data storage apparatus 102 is appropriate for the MFP's 103a to 103c and 104, and the confirmation (third check) as to whether or not the installation locations of the MFP's 103a to 103c and 104 are appropriate for the data storage apparatus 102 are performed. Thus, by such triple checks, it is possible to prevent the data stored in the data storage apparatus 102 from being used at a location other than the predetermined location. Moreover, as shown in FIGS. 10A and 10B, when the data storage apparatus 102 is used at a location other than the predetermined location, the data storage apparatus 102 itself can perform the process to prevent data leakage.

It should be noted that, in the embodiment, the process to prevent data leakage is not limited to the process of FIG. 10A. That is, the process shown in FIG. 10B may be performed. Hereinafter, another process shown in FIG. 10B to prevent data leakage will be explained.

FIG. 10B is the flow chart showing another example of the data security protection process to be performed when NO in the step S804 of FIG. 9. First, in a step S805-1, the data storage apparatus 102 displays a message as shown in FIG. 16 on the operation screen 5a of the operation unit 5 to inform the user that access is impossible because the installation location is inappropriate. Also, the data storage apparatus 102 displays a return password input section 1401 to request the user to input a password for returning data access.

Next, in a step S805-2, the data storage apparatus 102 encrypts, by using an encryption key held in the CPU 405, a file administration table in the storage medium unit 402, whereby it is possible to further reduce risk of data leakage in the storage medium unit 402. Then, in a step S805-3, the data storage apparatus 102 waits until the user inputs the password to the return password input section 1401 (i.e., return operation). In such a case, while the data storage apparatus 102 is waiting for the return operation in the step S805-3, the user can shift or move the data storage apparatus 102 to an appropriate location. Here, it should be noted that the password in question is the information which has already been notified to the normal user of the data storage apparatus 102.

When the correct password is input to the return password input section 1401 (i.e., YES in the step S805-3), the flow advances to a step S805-4. Meanwhile, when the correct password is not input to the return password input section 1401 and a certain period of time elapses (i.e., NO in the step S805-3), the flow advances to a step S805-7 to perform a data deletion (or erasure) process. Incidentally, it should be noted that the process in the steps S805-7 to S805-8 shown in FIG. 10B is equivalent to that in the steps S805-7 to S805-8 shown in FIG. 10A, whereby the explanation thereof will be omitted.

In the step S805-4, the location information obtaining unit 401 of the data storage apparatus 102 obtains the location information from the closest one of the location information provisioning terminals 100-A to 100-F as shown in FIG. 5, whereby the obtained location information is set to the current location information 600 shown in FIG. 6. Then, in the step S805-5, it is judged by the data storage apparatus 102 whether or not the obtained location information (i.e., the location information set to the current location information 600) coincides with the HD installation permission location information 602. When judged that the obtained location information coincides with the HD installation permission location information 602 (i.e., YES in the step S805-5), the flow advances to the step S805-6. Meanwhile, when judged that the obtained location information does not coincide with the HD installation permission location information 602 (i.e., NO in the step S805-5), the flow returns to the step S805-3.

In the step S805-6, the data storage apparatus 102 decrypts, by using the encryption key held in the CPU 405, the file administration table in the data storage apparatus 102 encrypted in the step S805-2. After the process in the step S805-6, the flow advances to the step S806 shown in FIG. 9.

As described above, when the data storage apparatus 102 is activated outside the defined location, it is possible to take various actions such as the data encryption, the data deletion and the like to prevent the data leakage in accordance with the condition of the data storage apparatus 102.

Next, the process that the data storage apparatus 102 changes the network activation permission location information 601 when the result of the step S806 in FIG. 9 is “NO” will be explained.

FIG. 11 is a flow chart showing an example of the process that the data storage apparatus 102 changes the network activation permission location information 601 when the result of the step S806 in FIG. 9 is “NO”. Initially, in the step S901, the data storage apparatus 102 displays a message and a setting change GUI (graphical user interface) as shown in FIG. 14 on an operation screen 404a of the operation unit 404. Here, it should be noted that the displayed message is, for example, the message to inform the user that the installation location of the data storage apparatus 102 is not the network activation permission location as shown in FIG. 14. Moreover, in FIG. 14, numeral 1200 denotes an update setting input area which is used to urge the user to input an update setting location and a location update password. Numeral 1201 denotes a setting area change button which is used to display the screen shown in FIG. 15 on which the network activation permission location information 601, the HD installation permission location information 602 and the group equipment installation location information 603 shown in FIG. 6 are set through the GUI. Incidentally, the contents of FIG. 15 will be later explained in detail.

When the user inputs the update setting location and the location update password in the update setting input area 1200 shown in FIG. 14, in the step S902, the data storage apparatus 102 accepts the update setting location and the location update password as the information for changing the new network activation permission location information 601. Next, in the step S903, the data storage apparatus 102 judges whether or not the location update password accepted in the step S902 is appropriate, and further judges whether or not the new network activation permission location information 601 (update setting location) is within the range of the HD installation permission location information 602. Then, when judged that the location update password is appropriate and the new network activation permission location information 601 is within the range of the HD installation permission location information 602 (i.e., YES in the step S903), in a step S904, the data storage apparatus 102 updates the network activation permission location information 601. Meanwhile, when judged that the location update password is not appropriate and/or the new network activation permission location information 601 is not within the range of the HD installation permission location information 602 (i.e., NO in the step S903), the flow returns to the step S902.

As described above, the data storage apparatus 102 allows the network connection location to be updated only within a predetermined range (i.e., the HD installation permission location range), whereby it is possible to prevent the data storage apparatus 102 from being connected to the network 101 at an unanticipated location, and it is thus possible to reduce risk of data leakage.
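The boot-time decisions of FIGS. 9, 10A, 10B and 11 can be followed in the Python sketch below, which is an added example and not code from the patent. Areas are modelled as sets of location labels; the room labels, the passwords, the `wipe_immediately` switch (FIG. 10A versus FIG. 10B) and the handling of a reboot while locked are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NO_ACCESS = "no location fix (S802 NO): data stays inaccessible"
    LOCKED = "file table encrypted, waiting for return password (S805-1..3)"
    WIPED = "key invalidated, data deleted, power off (S805-7, S805-8)"
    NET_BLOCKED = "inside HD area but outside network area (S806 NO)"
    READY = "may broadcast location and HDID to the MFPs (S807)"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class StorageApparatus:
    hd_area: frozenset        # HD installation permission location information 602
    net_area: frozenset       # network activation permission location information 601
    return_password: str      # constructed sample secret
    update_password: str      # constructed sample secret
    wipe_immediately: bool = False   # True models FIG. 10A, False models FIG. 10B
    key_valid: bool = True
    table_encrypted: bool = False
    state: State = State.NO_ACCESS

    def boot(self, location):
        """S801-S806. `location` is None when no provisioning terminal answered."""
        if not self.key_valid:
            return self.state                      # already wiped, nothing to unlock
        if self.table_encrypted:
            self.state = State.LOCKED              # assumption: a reboot does not unlock
        elif location is None:
            self.state = State.NO_ACCESS           # fail closed; caller retries S801
        elif location not in self.hd_area:         # S804 NO
            if self.wipe_immediately:
                self._wipe()
            else:
                self.table_encrypted = True        # S805-2
                self.state = State.LOCKED
        else:
            self._check_network(location)          # S806
        return self.state

    def recover(self, password, location, timed_out=False):
        """S805-3 to S805-6: return password plus a fresh location check."""
        if self.state is not State.LOCKED:
            return self.state
        if timed_out:                              # S805-3 NO after the waiting period
            self._wipe()
        elif _same(password, self.return_password) and location in self.hd_area:
            self.table_encrypted = False           # S805-6
            self._check_network(location)          # back to S806
        return self.state                          # otherwise still LOCKED

    def update_network_area(self, password, new_area):
        """S902-S904, reached only from S806 NO in FIG. 9."""
        if self.state is not State.NET_BLOCKED:
            return False
        if not _same(password, self.update_password):
            return False                           # S903 NO, back to S902
        if not frozenset(new_area) <= self.hd_area:
            return False                           # must stay within area 602
        self.net_area = frozenset(new_area)        # S904
        return True

    def _check_network(self, location):
        inside = location in self.net_area
        self.state = State.READY if inside else State.NET_BLOCKED

    def _wipe(self):
        self.key_valid = False                     # S805-7: key invalidated, data deleted
        self.state = State.WIPED                   # S805-8: power off


def sample_apparatus(**kw):
    # Constructed sample: two rooms permitted for installation, one for networking.
    return StorageApparatus(hd_area=frozenset({"room-31", "room-32"}),
                            net_area=frozenset({"room-32"}),
                            return_password="return-pw",
                            update_password="update-pw", **kw)
```

The text does not say what follows the step S904, so the sketch leaves the state unchanged after an update and expects the caller to run `boot` again.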

(Data Writing from MFP 104 to Data Storage Apparatus 102)

Next, an example of the process that, after the data storage apparatus 102 was set as the box of the MFP 104 as the result of the boot process shown in FIG. 9, the data writing is performed from the MFP 104 to the data storage apparatus 102 will be explained.

FIG. 12 is a flow chart showing the example of the process to be performed when the data writing from the MFP 104 to the data storage apparatus 102 is performed. First of all, when the scan indication button 1101 on the operation screen 5a shown in FIG. 13 is depressed by the user, in a step S1004, the MFP 104 recognizes such button depression as an instruction to write scanner data to the box (data storage apparatus 102). Here, it should be noted that the instruction in question also includes an instruction to scan a paper original.

Next, in a step S1005, the MFP 104 causes, in response to the instruction recognized in the step S1004, the scanner unit 201 to read the paper original and create the data file to be stored in the box. Subsequently, in a step S1006, the MFP 104 adds the group ID 502 of the MFP 104 and the access key 503 of the data storage apparatus 102 corresponding to the group ID 502 to the created data file. More specifically, the MFP 104 stores the group ID 502 and the access key 503 in the attribute information of the data file. Next, in a step S1007, the MFP 104 transmits the created data file to the data storage apparatus 102 by using the iSCSI protocol. Thus, the data storage process to the box (data storage apparatus 102) by the MFP 104 ends.

Subsequently, in a step S1001, the data storage apparatus 102 receives the data file transmitted from the MFP 104. Next, in a step S1002, the data storage apparatus 102 refers to the attribute information of the received data file to judge whether or not the group ID 502 and the access key 503 added in the attribute information are proper. When judged that the group ID 502 and the access key 503 are proper (i.e., YES in the step S1002), the flow advances to a step S1003. In this step, the data storage apparatus 102 stores the received data file in the storage area of the hard disk (storage medium unit 402) corresponding to the group ID 502.

As described above, by registering the data storage apparatus 102 as the box, the MFP 104 can use the data storage apparatus 102 as if it were a built-in hard disk.
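The box expansion exchange (steps S807 to S814 of FIG. 9) and the write check (steps S1001 to S1007 of FIG. 12) are shown together in the Python sketch below, with both sides' messages; it is an added example, not code from the patent. The message layout, the random access key, the mapping used for information 603 and the rejection of a file whose key is not proper (a branch the text does not describe) are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StorageBox:
    hdid: str
    location: str        # current location information 600
    group_areas: dict    # 603, modelled as group ID -> permitted MFP locations
    access_keys: dict = field(default_factory=dict)   # group ID 604 -> access key 605
    files: dict = field(default_factory=dict)         # per-group storage area

    def broadcast(self):                               # S807
        return {"location": self.location, "hdid": self.hdid}

    def issue_key(self, reply):                        # S808, S809
        allowed = self.group_areas.get(reply["group_id"], frozenset())
        if reply["location"] not in allowed:
            return None                                # S808 NO: no key is sent
        key = self.access_keys.setdefault(reply["group_id"], secrets.token_hex(16))
        return {"group_id": reply["group_id"], "access_key": key}

    def receive_file(self, data_file):                 # S1001 to S1003
        attrs = data_file["attributes"]
        expected = self.access_keys.get(attrs.get("group_id"))
        presented = attrs.get("access_key") or ""
        if expected is None or not hmac.compare_digest(expected.encode(),
                                                       presented.encode()):
            return False                               # assumption: improper key is refused
        self.files.setdefault(attrs["group_id"], []).append(data_file["content"])
        return True


@dataclass
class Mfp:
    location: str                      # current location information 700
    group_id: str                      # group ID 502
    group_install_area: frozenset      # group equipment installation location 501
    access_key: Optional[str] = None   # access key 503
    box: Optional[str] = None          # HDID shown in display area 1100

    def on_broadcast(self, msg):                       # S810 to S812
        if msg["location"] not in self.group_install_area:
            return None                                # S811 NO: keep waiting
        return {"location": self.location, "group_id": self.group_id}

    def on_grant(self, grant, hdid):                   # S813, S814
        self.access_key = grant["access_key"]
        self.box = hdid

    def scan_to_box(self, content):                    # S1005, S1006
        return {"content": content,
                "attributes": {"group_id": self.group_id,
                               "access_key": self.access_key}}


def expand_box(storage, mfp):
    """Run S807 to S814 between one storage apparatus and one MFP."""
    announce = storage.broadcast()
    reply = mfp.on_broadcast(announce)     # second check: storage location seen by MFP
    if reply is None:
        return False
    grant = storage.issue_key(reply)       # third check: MFP location seen by storage
    if grant is None:
        return False
    mfp.on_grant(grant, announce["hdid"])
    return True
```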

(Example of Installation Area Setting Screen)

FIG. 15 is a diagram showing an example of the screen to be used to display/change the various setting areas concerning the data storage apparatus 102. Here, it should be noted that the screen shown in FIG. 15 is the screen which is displayed when the setting area change button 1201 of the operation screen 404a shown in FIG. 14 is depressed by the user. As shown in FIG. 15, it is possible to set a network activation permission area 132, an HD installation permission area 131 and a group equipment installation area 130 as the setting areas of the data storage apparatus 102 in the 31 living room and the 32 living room on the third floor. Here, it should be noted that the network activation permission area 132, the HD installation permission area 131 and the group equipment installation area 130 are the areas respectively specified by the new network activation permission location information 601, the HD installation permission location information 602 and the group equipment installation location information 603 shown in FIG. 6. On the screen, the user can change the setting area by using the GUI. Thus, by displaying the setting area visually, it is possible for the user to easily know and grasp the mutual positional relation between the installation areas of the group equipment and the data storage apparatus 102.

Incidentally, the process of the steps S810 to S814 shown in FIG. 9 and the process of the steps S1004 to S1007 shown in FIG. 12 are achieved when the CPU 122 of each of the MFP's 103a to 103c and 104 executes the programs for achieving these processes. Besides, the process of the steps S801 to S809 shown in FIG. 9, the process of the steps S805-1 to S805-8 shown in FIGS. 10A and 10B, the process of the steps S901 to S904 shown in FIG. 11, and the process of the steps S1001 to S1003 shown in FIG. 12 are achieved when the CPU 405 of the data storage apparatus 102 executes the programs for achieving these processes.

Moreover, although the data storage apparatus 102 uses the hard disk as the means for storing various data, the present invention is not limited to this. That is, it is also suitable to use various recording media such as non-volatile memories (flash memory, etc.) and the like as the means for storing data. Besides, although the data storage apparatus 102 includes the operation unit 404 having the display unit, the present invention is not limited to this. For example, the computer terminal 105 shown in FIG. 1 may function as the operation unit 404. That is, the computer terminal 105 may display the screens shown in FIGS. 14 and 15 by obtaining the status information, the access control information and the like from the data storage apparatus 102.

Moreover, in the embodiment described as above, the programs for achieving the various processes shown in FIGS. 9, 10A, 10B, 11 and 12 in the data storage apparatus 102 and the MFP's 103a to 103c and 104 are read from the memories and executed by the CPU's, thereby achieving the functions of these processes. However, the present invention is not limited to this. That is, a part or all of the functions of the respective processes may be achieved by dedicated hardware.

Moreover, the above memory may include a magnetooptical disk, a non-volatile memory such as a flash memory or the like, a recording medium such as a CD-ROM or the like capable of performing only data reading, a volatile memory other than a RAM, or a computer readable/writable recording medium made by composing such memories as above.

Moreover, the present invention may be applied to a case where the program for achieving a part of the functions of the various processes in the data storage apparatus 102 and the MFP's 103a to 103c and 104 is recorded on a computer-readable recording medium, the program recorded on the recording medium in question is read and supplied into a computer system, and the part of the processes is actually performed based on the program supplied into the computer system. Here, it should be noted that the computer system includes an OS (operating system), hardware such as peripherals and the like.

Moreover, the above program may be transmitted from the computer system which has stored the program in question in its memory or the like to another computer system through a transmission medium or a transmission wave in the transmission medium. Here, it should be noted that the transmission medium for transmitting the program is the medium which has an information transmission function. For example, a network (communication network) such as the Internet or the like, a communication network (communication line) such as a telephone network or the like, and the like may be used as the transmission medium.

Moreover, the above program may achieve a part of the above functions. Besides, the above program may be a so-called difference file (difference program) capable of achieving the above functions through a combination with the program already recorded in the computer system.

Moreover, a program product such as a computer-readable recording medium or the like on which the above program has been recorded may be applied to the embodiment of the present invention.

As described above, the embodiment of the present invention has been explained in detail with reference to the attached drawings. However, the concrete structure and configuration are not limited to those in the above embodiment. That is, the present invention includes designs and the like which are within the range not departing from the concept of the present invention.

According to the present invention, control is performed to disable reading of the data stored in the recording medium in accordance with the specified location, whereby the process for preventing data leakage can be performed when the data storage apparatus is used at a location other than the predetermined location.

Besides, the data to be used in the data processing apparatus are stored and unitarily administrated in the data storage apparatus, whereby it is possible to simplify the administration of the data to be used in the plural data processing apparatuses connected to the network.

This application claims priority from Japanese Patent Application No. 2003-391064 filed Nov. 20, 2003, which is hereby incorporated by reference herein.

1. A data storage apparatus which has a recording medium for storing data, comprising: an information storage unit adapted to store area information indicating plural areas respectively corresponding to different attributes; a location specifying unit adapted to externally receive a signal and thus specify a location; and a control unit adapted to perform control to disable from reading the data stored in said recording medium if the location specified by said location specifying unit is not within a first area corresponding to a first attribute, and disable from changing the area information stored by said information storage unit if the location specified by said location specifying unit is not within a second area corresponding to a second attribute.
2. A data storage apparatus according to claim 1, wherein, when it is judged that the location is not within said second area, said control unit again judges whether or not the location is within said first area after performing a restoration operation, and, when it is judged that the location is within said first area, said control unit enables to read the data stored in said recording medium.
3. A data storage apparatus according to claim 1, wherein, when the location is outside said second area, said control unit deletes the data stored in said recording medium.
4. A data storage apparatus according to claim 1, wherein, when said location specifying unit cannot specify the location, said control unit performs the control to disable from reading the data stored in said recording medium.
5. A data storage apparatus according to claim 1, wherein, if the location specified by said location specifying unit is not within the second area, said control unit performs any one of a turning-off process of turning off a power supply of said recording medium, a deleting process of deleting the data in said recording medium, and an encrypting process of encrypting the data in said recording medium, or performs a process obtained by combining the turning-off process, the deleting process and the encrypting process.
6. A data storage apparatus according to claim 5, further comprising: a data storage unit adapted to store encryption data for performing the encrypting process of encrypting the data in said recording medium, wherein, when performing the deleting process, said control unit deletes the encryption data stored in said data storage unit.
7. A data storage apparatus according to claim 1, further comprising: a communication unit adapted to perform communication with an external data processing apparatus through a network; an attribute information obtaining unit adapted to obtain attribute information of said data processing apparatus through said communication unit; and an issuance and transmission unit adapted to issue access permission information for permitting said data processing apparatus to access said recording medium in accordance with the attribute information, and transmit the issued access permission information to said data processing apparatus through said communication unit.
8. A data storage apparatus according to claim 7, wherein the attribute information includes at least information concerning an installation location of said data processing apparatus.
9. A data storage apparatus according to claim 7, further comprising: a reception unit adapted to receive, together with the access permission information, an access request to said recording medium from said data processing apparatus through the network, wherein said control unit judges whether or not to permit the access to said recording medium on the basis of the access permission information received by said reception unit.
10. A data storage apparatus which has a recording medium for storing data, comprising: an information storage unit adapted to store area information indicating plural areas respectively corresponding to different attributes; a reception unit adapted to externally receive location information; and a control unit adapted to perform control to disable from reading the data stored in said recording medium if the location represented by the location information received by said reception unit is not within a first area corresponding to a first attribute, and disable from changing the area information stored by said information storage unit if the location represented by the location information received by said reception unit is not within a second area corresponding to a second attribute.
11. A data storage apparatus according to claim 10, wherein, when it is judged that the location is not within said second area, said control unit again judges whether or not the location is within said first area after performing a restoration operation, and, when it is judged that the location is within said first area, said control unit enables to read the data stored in said recording medium.
12. A data storage apparatus according to claim 10, wherein, when the location is outside said second area, said control unit deletes the data stored in said recording medium.
13. A data storage apparatus according to claim 10, further comprising: a communication unit adapted to perform communication with an external data processing apparatus through a network; an attribute information obtaining unit adapted to obtain attribute information of said data processing apparatus through said communication unit; and an issuance and transmission unit adapted to issue access permission information for permitting said data processing apparatus to access said recording medium in accordance with the attribute information, and transmit the issued access permission information to said data processing apparatus through said communication unit.
14. A data storage method which uses a data storage apparatus having a recording medium for storing data, comprising: a first step of storing area information indicating plural areas respectively corresponding to different attributes; a second step of externally receiving a signal and thus specifying a location; a third step of performing control to disable from reading the data stored in the recording medium if the location specified in said second step is not within a first area corresponding to a first attribute; and a fourth step of performing control to disable from changing the area information if the location specified in said second step is not within a second area corresponding to a second attribute.